[14042] in cryptography@c2.net mail archive
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
daemon@ATHENA.MIT.EDU (Ben Laurie)
Sat Sep 6 19:14:30 2003
X-Original-To: cryptography@metzdowd.com
Date: Sat, 06 Sep 2003 19:33:55 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: Wei Dai <weidai@weidai.com>
Cc: Anton Stiglic <astiglic@okiok.com>,
Joshua Hill <josh-crypto@untruth.org>,
Rich Salz <rsalz@datapower.com>, cryptography@metzdowd.com
In-Reply-To: <20030905180209.E30928@weidai.com>
Wei Dai wrote:
> On Fri, Sep 05, 2003 at 04:15:22PM -0400, Anton Stiglic wrote:
>
>>You are correct, I just saw Crypto++ in the list of FIPS 140 validated
>>modules:
>>http://csrc.nist.gov/cryptval/140-1/140val-all.htm
>>It is the latest entry, added today.
>>Congratulations to Wei Dai!
>
>
> Thanks! Also thanks to Groove Networks (the company I work for) for
> spending the money to do the validation.
>
>
>>OpenSSL's *source code* being evaluated remains exciting.
>
>
> If OpenSSL source code gets validated, I'm going to be very surprised.
Prepare to be very surprised, then.
> NIST told us in no uncertain terms that only compiled executable code
> could be validated. In fact they wouldn't even validate Crypto++ as a
> static library despite an earlier verbal agreement that a static
> library was ok. It had to be turned into a DLL at the last moment (i.e.
> during the review phase).
This is all good fun, coz I'm mandating static libraries for OpenSSL, so
that the evidential chain can be maintained (it's hard to find a DSO in a
cross-platform manner so you can checksum it).
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com